[00:02.850 --> 00:10.060]  Hello, and thank you for this opportunity to speak at the Crypto Village at DEF CON this year.
[00:10.060 --> 00:15.060]  My name is Megan DeBlois, and I'm going to be talking to you today about some of the privacy problems
[00:15.060 --> 00:19.240]  with COVID-19 apps that have been emerging across the globe.
[00:19.240 --> 00:23.640]  Our session is called, Who Needs Spyware When You Have COVID-19 Apps?
[00:23.640 --> 00:29.200]  A few caveats. We truly aren't saying all COVID-19 apps are spyware.
[00:29.200 --> 00:35.620]  We're trying to allude or describe the privacy problem that we feel very strongly
[00:35.620 --> 00:38.020]  and very passionate about as a group.
[00:38.420 --> 00:42.600]  A couple other caveats. We're not lawyers, and we're not professional researchers.
[00:42.600 --> 00:48.040]  We build things. We're a group of engineers and designers and project managers
[00:48.040 --> 00:52.040]  who really wanted to create something that could be useful to better understand
[00:52.040 --> 00:57.240]  the COVID-19 applications that have been popping up around the globe.
[00:58.340 --> 01:01.940]  So today, we're going to be just touching, scratching the surface.
[01:01.980 --> 01:07.580]  There's tons of information that we could get into.
[01:07.840 --> 01:11.320]  We really encourage others to check out our data set.
[01:11.320 --> 01:13.760]  It's an open data set that we've created.
[01:14.220 --> 01:20.960]  All of the data that we're going to be talking about today is really only updated since August 1st.
[01:20.960 --> 01:25.180]  And we know that things move and shift really quickly, but just keep that in mind.
[01:25.180 --> 01:30.640]  We're really only going to be looking at the graphs and the data between the beginning of the pandemic
[01:30.640 --> 01:35.340]  when we started collecting the data into August 1st, 2020.
[01:36.220 --> 01:40.600]  So today, we're going to be talking a little bit about the project, the people, the goals.
[01:40.600 --> 01:44.240]  We're going to jump down into sort of the problem.
[01:44.240 --> 01:49.540]  We have a few problems in the COVID-19 application space, as I'm sure many of you know.
[01:49.760 --> 01:53.040]  And we'll kind of touch base a little bit on the timeline,
[01:53.040 --> 01:56.500]  just remind ourselves sort of where we came from.
[01:56.500 --> 02:02.940]  And then we'll get into the ecosystem and really understand some of the trends that we've been able to deduce
[02:02.940 --> 02:05.960]  based on the data that we've been able to collect.
[02:06.240 --> 02:09.820]  And then we'll kind of end with some opportunities that we see.
[02:10.560 --> 02:13.460]  Our team, as I mentioned, my name is Megan DeBlois.
[02:13.500 --> 02:17.140]  I'm the volunteer product manager for this particular project.
[02:17.720 --> 02:25.600]  We are a completely volunteer-based team with Carlos Micas-Nadal, who's our back-end engineer,
[02:25.600 --> 02:30.600]  Zach Anderson, our front-end engineer, as well as Justin DeBlois, our UX designer.
[02:30.720 --> 02:36.660]  If you want to learn more about our team, please check it out at our website, covid19apptracker.org.
[02:36.660 --> 02:40.720]  And you can find a lot more information about us there.
[02:40.780 --> 02:45.420]  Get in touch at info at covid19apptracker.org.
[02:45.420 --> 02:48.140]  All right, so let's jump into the project.
[02:48.600 --> 02:54.400]  This particular project started back around March at the beginning of the pandemic
[02:54.400 --> 02:57.750]  when we first really saw a lot of applications popping up.
[02:58.440 --> 03:06.480]  Between then and August 1st, we have been able to detect around 120 applications
[03:06.480 --> 03:10.820]  related to COVID-19 around the world.
[03:10.820 --> 03:15.980]  Again, that number is last updated on August 1st, so we have a few more since then.
[03:16.340 --> 03:23.220]  But the main categories of COVID-19 applications that we are detecting here
[03:23.640 --> 03:28.020]  are contact tracing, of course. That's been a hot topic as of late.
[03:28.020 --> 03:33.840]  But we're also looking at symptom tracking applications and informational applications.
[03:33.980 --> 03:40.480]  Just quickly, to make sure folks understand where the data is coming from and how this works,
[03:40.480 --> 03:44.160]  we have a few different components of the application.
[03:44.280 --> 03:48.500]  We have a detection engine, and this is really something that we prioritize in this project
[03:48.500 --> 03:53.460]  is automated detection of the applications that are popping up on the Google Play Store.
[03:53.820 --> 03:58.860]  We really wanted to ensure that there was also a clean front end and we created an open data set.
[03:58.860 --> 04:01.720]  Those were sort of design decisions that we made at the very beginning
[04:01.720 --> 04:08.440]  to ensure that the data in the project would be potentially useful for researchers and others.
[04:08.440 --> 04:13.100]  So we have this app detection engine that automates scanning Google Play.
[04:13.100 --> 04:19.060]  It updates the database and it enriches a lot of the data that's collected there,
[04:19.060 --> 04:22.900]  funnels that through our database, and then pushes it out and deploys it
[04:22.900 --> 04:26.220]  to our front end web application over on GitHub Pages,
[04:26.220 --> 04:32.980]  as well as dumps that data set into an open Google Sheet so that anyone can go there,
[04:32.980 --> 04:40.340]  go to our website and click the About page, and you will very easily be connected to that open data set.
[04:42.160 --> 04:47.560]  I'm not going to go into too much depth here, but a few constraints worth mentioning.
[04:47.560 --> 04:52.260]  We are a volunteer-based team, as many side projects are.
[04:52.260 --> 04:54.400]  We don't have funding. We have limited time.
[04:54.400 --> 04:58.220]  And so a lot of, again, the design decisions that we made throughout this process
[04:58.220 --> 05:01.120]  were based off of those two big constraints.
[05:01.120 --> 05:07.760]  Our main goal for this project from the very beginning was really to just understand the ecosystem.
[05:07.760 --> 05:09.500]  Things were popping up so quickly.
[05:09.500 --> 05:16.580]  It was to try to get a better sense of what exactly the ecosystem of applications
[05:16.580 --> 05:20.980]  being produced across the globe really look like across those three core areas,
[05:20.980 --> 05:25.080]  contact tracing, symptom tracking, and informational applications.
[05:25.200 --> 05:27.200]  Another goal was creating that open data set.
[05:27.200 --> 05:30.440]  And, of course, we all were doing this as a side project.
[05:30.440 --> 05:34.680]  We had our own personal learning goals throughout this project as well.
[05:35.960 --> 05:41.700]  So, we are probably all pretty familiar with this particular problem.
[05:41.700 --> 05:48.620]  Problem number one is that there has been this rapid deployment of this technology across the globe.
[05:49.020 --> 05:54.580]  Rapid deployment of technology often leads to more bugs, often leads to more vulnerabilities,
[05:54.580 --> 05:58.920]  with the potential for those vulnerabilities to be exploited.
[05:58.920 --> 06:01.540]  And we've seen this across several applications.
[06:01.540 --> 06:05.700]  This is one based in the United States that got in trouble for violating its own privacy policy
[06:05.700 --> 06:09.860]  because it was sharing information with a third party.
[06:10.060 --> 06:13.420]  The Qatar application, Amnesty International, did some great research
[06:13.420 --> 06:18.980]  and identified some security vulnerabilities that exposed personal details of more than a million users.
[06:19.400 --> 06:21.100]  And the list goes on.
[06:21.540 --> 06:28.460]  Norway had a lot of privacy issues with its application and decided to just stop deployment,
[06:28.460 --> 06:35.440]  to stop working on this particular application for now until it can really address the privacy concerns that were happening.
[06:36.560 --> 06:38.340]  And again, the list goes on and on.
[06:38.340 --> 06:40.560]  So, we all know this. That's problem number one.
[06:40.560 --> 06:44.300]  We're really not going to touch so much on that particular problem in this session.
[06:44.340 --> 06:46.720]  But problem number two is really where we're going to live.
[06:46.720 --> 06:49.720]  The data collection and permissions problem,
[06:49.720 --> 06:55.180]  which is sort of the privacy issues that are surrounding these COVID-19 applications.
[06:55.180 --> 07:03.640]  And the lack of transparency that really we don't have a lot of information around how governments are treating this data,
[07:03.640 --> 07:05.780]  what they're collecting, how they're using it,
[07:05.780 --> 07:10.620]  what the functional purpose is for the data that they are using or requesting.
[07:11.480 --> 07:16.460]  So, to jump back a little bit into the timeline to remind ourselves where we came from,
[07:16.460 --> 07:23.940]  around February of this year, this is when we started seeing a lot of COVID-19 related applications popping up all over.
[07:23.940 --> 07:26.000]  In my day job, I work for a nonprofit.
[07:26.000 --> 07:32.740]  I was being approached by a lot of journalists and a lot of human rights groups and activists asking about these applications.
[07:32.760 --> 07:35.080]  And should they be concerned about their privacy?
[07:35.900 --> 07:38.880]  The answer, obviously, was absolutely. I would be concerned.
[07:38.880 --> 07:42.940]  But there wasn't a whole lot of information around these applications at the time.
[07:43.300 --> 07:45.460]  Fast forward a month, we get into March.
[07:45.500 --> 07:48.800]  Google and Apple actually implement a crackdown on their app stores.
[07:48.800 --> 07:59.040]  And they say, look, you have to be a government or you have to be an official health authority to even produce and publish an application on our app stores.
[07:59.260 --> 08:05.640]  So, they did a little bit of cleaning house to try to make it a bit clearer what these applications are,
[08:05.640 --> 08:14.540]  make sure they have a better handle on the types of applications being downloaded and being produced on their app store.
[08:14.540 --> 08:27.740]  Then we get to April, where Google and Apple again announced their partnership to collaborate on this more privacy-respecting contact tracing technology called their Exposure Notification Framework.
[08:27.740 --> 08:31.420]  And privacy-respecting in the sense that it's not using geolocation.
[08:31.420 --> 08:37.120]  It's using Bluetooth proximity-based contact tracing, a contact tracing model.
[08:37.120 --> 08:40.040]  EFF has a great resource that y'all should check out.
[08:40.040 --> 08:41.680]  We're not going to get into it here.
[08:41.680 --> 08:44.420]  We're not experts on Apple and Google's technology.
[08:44.420 --> 08:51.040]  We really encourage you to look and take a look at the documentation from those who are more expert in that field.
[08:51.040 --> 08:56.700]  But it is worth mentioning because it's a topic of interest and it has a lot to do with privacy.
[08:57.100 --> 09:10.700]  In May 2020, kind of related to our project, MIT released a data set around contact tracing applications that they were tracking to better understand the ecosystem.
[09:10.700 --> 09:15.880]  And again, as I mentioned, we are really focused on automating the detection of the applications.
[09:15.960 --> 09:24.520]  But of course, we have to supplement some manual review and some manual entry or loading applications that our engine maybe didn't detect.
[09:24.520 --> 09:32.880]  And this was a great resource for us to pull some of their data into our data set to make sure that our data set is as robust as we can make it.
[09:33.460 --> 09:39.340]  We get into June, July, and August this summer, and we still have this data collection problem.
[09:39.340 --> 09:43.520]  We still have this privacy problem. And that's kind of where we end today.
[09:43.520 --> 09:47.860]  And that's kind of where we'll kind of really focus on in this particular presentation.
[09:48.260 --> 09:55.400]  So to look quickly at the ecosystem, how many apps are actually out there on the Google Play Store?
[09:56.460 --> 10:07.620]  Well, for our detection engine, we have detected, you know, on August 1st, we had detected 121 applications, which feels like a lot.
[10:07.700 --> 10:14.460]  We had those three different categories. They're not just contact tracing. They're also symptom tracking and informational applications.
[10:14.460 --> 10:23.500]  A couple things to note. The first data point we have is on May 10th. That is when we started tracking our first seen date.
[10:23.500 --> 10:26.920]  And that is our first seen date for our project and our engine.
[10:26.920 --> 10:33.940]  So it wasn't like there didn't exist applications before May 10th. Of course, applications existed before that date.
[10:33.940 --> 10:38.620]  But this is the first day that we started tracking that metric and deploying it.
[10:39.360 --> 10:42.060]  And we've seen an increase since then, clearly.
[10:43.640 --> 10:51.600]  Number of applications by country. For us, we were curious if there were certain countries producing or creating more applications than other countries.
[10:51.900 --> 11:01.400]  And what we found was indeed there are. So, excuse me. So we're going to zoom in a little bit to see that a little bit better.
[11:01.400 --> 11:14.860]  You can see from this graph, India is really leading, at least by August 1st, it was really leading the charge in creating applications across different municipalities in the country.
[11:14.860 --> 11:22.180]  India is very interesting. They have one very sort of nationwide application and a lot of different regional applications.
[11:22.620 --> 11:26.600]  The United States, not surprisingly for those who are familiar with
[11:27.820 --> 11:35.680]  the United States, a lot of states have created their own applications. In the United States, there's not one single application for the nation.
[11:35.940 --> 11:45.840]  It's been hyper localized to the different states. And we can kind of see this across other countries as well. And so we found this quite interesting. Here's a couple examples in the US.
[11:46.080 --> 11:53.940]  This is one that was created, started in North Dakota and is being used right now in South Dakota and Wyoming, according to the description.
[11:53.940 --> 12:00.520]  We've also got, you know, Rhode Island has their own. Sonoma County, I think, has their own. Florida has their own application.
[12:00.880 --> 12:13.840]  And this is what we wanted to highlight this week. It was just released. It's the Virginia Department of Health application. It's the first application in the United States to implement the Apple and Google exposure notification framework.
[12:15.140 --> 12:19.620]  Which is that Bluetooth proximity contact tracing model.
[12:21.160 --> 12:25.520]  So, of course, we wanted to know also what is the impact on people.
[12:25.840 --> 12:40.660]  And our proxy for understanding that was really to kind of look at the scale of application usage and using downloads as sort of a metric that we could potentially see how scaled this
[12:41.640 --> 12:54.360]  This problem kind of is. So India, again, they've got more than a billion people in the country. They've got over 100 million downloads, according to Google Play, for their nationwide application.
[12:54.360 --> 13:01.440]  They sort of blow everyone else out of the water. They have the numbers and they have, you know, some interesting ways to
[13:02.160 --> 13:18.820]  sort of deploy that technology. So they're clearly winning in terms of raw numbers here. But if you look at the next greatest number of downloads that we could that we could see through our data set, we have this Colombian application called Corona Colombia.
[13:19.600 --> 13:30.240]  They have around 10 million downloads, which is pretty significant given the country is, you know, Google told me the country is 50 million people in Colombia. So that's a very interesting
[13:31.440 --> 13:35.300]  percentage of folks in the country that have downloaded the application.
[13:35.880 --> 13:45.380]  And, you know, we have this next grouping of around, you know, 5 million plus downloads across places like Turkey, Argentina, Malaysia, and Germany.
[13:45.380 --> 13:57.300]  And then we have this cluster in sort of the 1 million category here. So we can kind of get a sense of how many folks are actually downloading and potentially using these applications.
[13:58.920 --> 14:02.160]  Next we'll hop into privacy and permissions.
[14:03.040 --> 14:15.400]  We decided to do a bit of initial analysis on the open data set that we've collected using permissions again as this proxy to understand how privacy respecting some apps are over others.
[14:15.780 --> 14:17.520]  While understanding that
[14:18.520 --> 14:28.720]  Also, some of the specific privacy problem areas in these applications. So we decided to look at the top 10 permissions requested by applications.
[14:29.360 --> 14:43.940]  And right away for us, sort of the location problem jumped out. We have a lot of folks requesting a lot of applications requesting precise location or approximate location within the data set.
[14:45.240 --> 14:53.740]  This we're going to jump into. We're going to kind of talk a little bit more detail around location problems in a second, but that was very interesting for us.
[14:54.100 --> 15:06.540]  We also wanted to know who requested the most permissions out of our data and we had the highest number of permissions requested was 23. So that was our max permissions requested.
[15:07.520 --> 15:20.240]  And we had a few applications that all requested 23 different permissions and those were Lithuanian application, a regional Indian application. So it's not the hundred million
[15:20.240 --> 15:30.900]  download application. This is a specific municipality in India that's requesting this this number of permissions called TCOVID-19 app.
[15:31.720 --> 15:41.140]  And then we have Italy as well, who also requested the SM-COVID-19 application in Italy that requested 23 permissions. So we found this interesting.
[15:41.940 --> 15:56.400]  We also wanted to know who requested the least. So who's sort of not asking for anything. We had one application that didn't request a single thing. And that was the Pakistan National Action Plan for COVID-19 strictly informational application.
[15:56.400 --> 15:59.520]  And then we had a few that just requested one.
[15:59.860 --> 16:05.560]  A couple from Spain, one from Vietnam, another from Pakistan.
[16:06.960 --> 16:14.760]  So let's kind of revisit a little bit quickly the geolocation problems we sort of alluded to.
[16:14.760 --> 16:26.880]  Now, this is interesting because more applications actually requested precise location over approximate location. So we found this sort of to be also an interesting metric.
[16:27.320 --> 16:33.980]  Reminding us all that not all of the applications in our data set here are contact tracing applications.
[16:33.980 --> 16:40.220]  That is a model that certain countries are using in their applications is requesting location
[16:40.830 --> 16:49.480]  in their contact tracing efforts and their contact tracing mechanism that they've deployed across the country or across their specific region.
[16:49.920 --> 17:02.460]  So functionally, I think if you're a contact tracing application, you might not be using the most privacy respecting model, but we can at least logically potentially understand why you would request location.
[17:02.460 --> 17:14.100]  But for these symptom tracking and informational applications, I think there's a huge mismatch between what the function of the application is and then the permissions that are actually being requested.
[17:15.240 --> 17:24.660]  Obviously, the other really concerning bit here with geolocation is that most of these applications are government managed, government developed.
[17:24.660 --> 17:33.700]  This is a lot of sensitive data to just be giving up to the government and there are obvious surveillance and privacy problems around this.
[17:34.540 --> 17:45.400]  Many privacy experts have warned against contact tracing applications using GPS due to these privacy violations. And so this is something that I think is definitely worth
[17:45.400 --> 17:52.100]  delving deeper into who exactly are the applications requesting this information.
[17:54.660 --> 18:03.360]  So we mentioned the Google and Apple exposure notification framework, once again, because we see this as a potential area of opportunity.
[18:03.360 --> 18:13.140]  If we recall in the timeline, this was announced in April, Google and Apple released that joint announcement to collaborate on this interoperable
[18:13.140 --> 18:24.240]  contact tracing, proximity based contact tracing framework using Bluetooth. It does not use geolocation and there's a potential, we see potential here for
[18:25.110 --> 18:32.060]  helping some applications transition over to something that doesn't use geolocation.
[18:32.180 --> 18:38.260]  We took a quick look at the developer documents to just understand again a little bit more what
[18:38.860 --> 18:49.480]  what exactly is required. And it is really important to note that if you were to implement this Google and Apple technology, you actually cannot include requesting anything
[18:50.780 --> 19:01.400]  like coarse location, which is your approximate location, or fine location, which is your precise location. And we've seen from the data. This is highly problematic. We have
[19:02.220 --> 19:13.940]  around 75% of our entire data set, entire applications in our data set requesting some form of location. So there's some very interesting potentially
[19:15.140 --> 19:25.340]  transitional problems here. It's not a whole lot of applications right now are implementing this Google Apple exposure notification framework.
[19:25.340 --> 19:32.780]  But you can potentially see some some problems here if they were to do a transition and to understand, you know,
[19:32.780 --> 19:49.180]  what non technological mechanisms do they have in these different regions in different countries that potentially are right now utilizing or leveraging location data that they're getting from applications. So it's, it's a big problem. We know this.
[19:49.760 --> 19:56.520]  What we wanted to do was really share and kind of a better understand some of the problems around this.
[19:58.180 --> 20:07.680]  As we all know, not all permissions are equally concerning in terms of privacy. And so we wanted to take a look at something Google
[20:07.680 --> 20:22.060]  and Android developers call the dangerous permissions. And dangerous permissions, according to Google, are permissions that could potentially affect the user's privacy or the device's normal operation.
[20:22.060 --> 20:32.140]  And the user must explicitly agree to grant those permissions if they're requested. And that's taken directly from the Android developer documentation.
[20:32.140 --> 20:39.560]  So what are the top dangerous permissions that we found were being requested within our data set?
[20:39.960 --> 20:48.360]  Not surprisingly, location is clearly a dangerous permission. We're not going to really talk about that much more because I think we've covered it.
[20:48.360 --> 20:57.400]  But we also see that storage, both reading the contents of the storage, as well as modifying and deleting the contents of your USB storage, are both considered dangerous
[20:58.020 --> 21:08.660]  permissions and we have around 50% requesting read access and we have around 46% of the data set requesting modifying access.
[21:09.060 --> 21:14.180]  Now this is where we feel like it gets more interesting. We're going to take a deeper dive on
[21:14.180 --> 21:26.320]  sort of the last two dangerous permissions listed here. And that's because if you're requesting this particular permission, you are no longer in the norm. You are an anomaly if you're requesting this.
[21:26.320 --> 21:36.000]  And so we thought it would be interesting to take a deeper look to see who actually is requesting this information. So who's requesting microphone access? There are a couple
[21:37.980 --> 21:46.700]  apps that we found quite interesting. There's this interesting US Department of Veterans Affairs COVID Coach application in the United States that requests this.
[21:46.700 --> 21:55.220]  The UAE has a few applications that request this, but really it's a mishmash of countries around the globe requesting this.
[21:55.800 --> 22:08.840]  Who's requesting reading your contacts? Now this also, again, we see that COVID Coach, this Department of Veterans Affairs application, makes another appearance. It's very odd to see that it's requesting this.
[22:09.180 --> 22:17.660]  But we also see is that the Corona Colombia shows up. And as we talked about before, this is an application that has a broad
[22:17.660 --> 22:27.060]  user base. You have over 10 million downloads, according to the Google Play Store, of this particular application. So a lot of people are using it.
[22:27.160 --> 22:30.300]  We also see that there are
[22:32.060 --> 22:47.440]  a couple other concerning applications. Turkey has around 5 million, at least 5 million downloads of that application. So the scale and reach and impact that this particular application, these particular applications have is pretty great.
[22:48.940 --> 22:58.980]  We also were curious about regional differences and we're just giving one example. You could take our data and look at specific regions you're interested in. We thought we would just take a quick look at
[22:59.540 --> 23:15.620]  are there any differences in dangerous permission requests between apps in the EU and apps out of the EU. And out of our data set, we have a quarter of the applications in there in that data set are EU countries.
[23:17.660 --> 23:28.020]  And what we found was quite interesting. We really see across the board that EU applications or countries based in the EU, if they're producing an application, they
[23:29.540 --> 23:43.140]  typically requested less dangerous permissions than non-EU applications. And we can see that across the board, looking at location, looking at storage, and even sort of those anomaly permissions at the bottom there.
[23:43.140 --> 23:51.380]  In some instances, for example, reading your contacts, no EU applications in our data set requested that dangerous permission.
[23:53.480 --> 24:08.560]  So researchers and advocates we feel are a really important part of this ecosystem of COVID-19 applications and we had a few that we really wanted to mention because they're doing great research and our goal is to create things that are useful for researchers and advocates.
[24:08.560 --> 24:21.200]  I think Fundación Karisma is one based in Colombia. They have done some really amazing privacy and security research of the applications and technologies that are being deployed in the country.
[24:21.200 --> 24:34.520]  And we would love to be able to work with groups like this and groups like others who are focused on privacy evaluations to figure out, you know, how we can better create or support those efforts, in particular,
[24:34.520 --> 24:45.300]  you know, understanding the ecosystem and publishing any sort of research and cross-publishing on our particular platform.
[24:45.300 --> 24:58.140]  We have groups like Amnesty International who are also doing great work analyzing applications in accordance to sort of who's who and
[25:00.120 --> 25:06.140]  in violating sort of privacy rights across the board across these applications.
[25:06.360 --> 25:21.440]  We've got EFF who also is doing great work and we've got a really cool project who inspired us to start looking more closely at the dangerous permissions that we really wanted to mention, which is the exodusprivacy.eu.org project where that actually analyzes
[25:22.760 --> 25:33.560]  Android applications to quickly determine how many trackers and how many dangerous permissions are being requested by the application.
[25:35.740 --> 25:38.620]  So what now?
[25:39.140 --> 25:48.820]  It probably feels a little bit like this. There are a lot of problems when it comes to these COVID-19 applications.
[25:48.820 --> 25:53.040]  There are a lot of privacy issues that we mentioned. So,
[25:53.600 --> 26:01.900]  we wanted to talk a little bit about opportunities here. And I think the first opportunity that we really feel strongly about is more privacy and security audits,
[26:01.900 --> 26:10.940]  more privacy and security evaluations of these applications and publish them. Publish them publicly. If you're a government who wants to build trust and build transparency
[26:12.420 --> 26:16.680]  to get more adoption of an application. This is one way we feel
[26:17.460 --> 26:22.880]  could be really potentially impactful to get that higher adoption rate that's needed.
[26:24.240 --> 26:35.260]  Better understand those adoption barriers to the Google and Apple exposure notification technology. I think this is one that we're particularly, you know, just interested in why there hasn't been more
[26:35.260 --> 26:49.140]  adoption. It sounds like based off of some of the reporting over the last couple weeks that there's going to be some movement there coming up. So we're really excited to, again, make sure that it's clear in our application to users
[26:50.420 --> 26:57.940]  which applications are more privacy respecting, not requesting dangerous permissions, not requesting location data,
[26:57.940 --> 27:03.540]  especially as more governments are getting into the market to develop these technologies.
[27:03.540 --> 27:12.240]  And we have a few other, you know, suggestions, opportunities, advocating for privacy respecting applications. Obviously, there are a lot of folks that are doing this already.
[27:12.440 --> 27:25.080]  We mentioned some of them, but we need more folks doing it. And I think one of the things for advocates, they really need information and it's been hard to get it. And so projects like this, we hope, can be useful to advocates
[27:25.080 --> 27:37.260]  to better inform, better create that narrative, and better create the argument for why privacy needs to be embedded in these applications from the onset, from the design.
[27:37.500 --> 27:43.140]  And of course, I think transparency standards for COVID-19 application are truly needed.
[27:43.560 --> 27:53.740]  Promoting open source technologies, transparent data collection and treatment, understanding and matching the function of the application with what is actually being requested in the application,
[27:53.740 --> 27:56.580]  and thinking critically about that.
[27:59.560 --> 28:09.060]  And sort of just a few final remarks. So, you know, we feel that the design decisions we're making right now really do have the potential for lasting impact on our privacy.
[28:09.300 --> 28:14.980]  And when developing any technology, we should always be thinking about the impact that technology will have long term.
[28:14.980 --> 28:25.700]  In times of crisis, sometimes it's easier to not think about that. And so really, we want to slow things down, make sure that privacy is being
[28:25.700 --> 28:34.560]  considered and there are certain standards and expectations of governments creating these technologies to make sure that we're not creating
[28:35.240 --> 28:39.160]  this lasting surveillance problem down the line.
[28:39.160 --> 28:48.900]  And as we create these technologies, really making sure we're looking at the positive use cases for impact, but also the misuse cases, the negative use cases for deploying this technology
[28:48.900 --> 28:55.410]  without taking the time to really design and embed privacy into these products.
[28:56.200 --> 29:03.420]  And with that, we end there. We'll be taking questions on the DEF CON Crypto Village Discord channel.
[29:03.420 --> 29:16.920]  But if you have any other questions, please contact us at info at covid19apptracker.org and thanks again for allowing us to present this project and giving us the opportunity. We really appreciate it.
